
Securing Community Networks

Emerging networking technologies have an urgent need for a first-class set of features that address the problems of direct device-to-device introduction, authentication, and trust management

Identity Attacks on Decentralized Trust Models

Traditionally, it is easy to assign identities to devices and users within a community: choose one member to issue an electronic identity to each new member. With centralized credentialing, the major worry is impersonation attacks, where one party steals and uses the identity of another. Completely decentralized domains introduce new challenges, as a party might acquire multiple identities from different issuers. The exchange of trust evidence and trust values in our model is based on the assumption that distinct members have unique identities, and their opinions are independent; this assumption is critical to our model. Without this assumption, entities cannot be held responsible for either their actions or for the recommendations they render. In this section we discuss several common identity attacks and potential countermeasures.

Identity Attacks

Distributed trust calculation is particularly sensitive to three kinds of identity attacks:

Masquerade. This kind of attack allows an attacker to use the identity of a legitimate community member. Masquerading attacks violate the requirement in trust calculus that recommendations can be attributed to the member allegedly sharing an opinion.

Sybil. This kind of attack occurs when the attacker uses multiple identities simultaneously in the same community to take advantage of distributed trust calculations. Sybil attacks violate the requirement in the trust model that every member should contribute only one vote to each trust decision. Arbitrary Sybil attacks allow the attacker to disproportionately weight its own contributions to a trust calculation, thereby increasing its own influence beyond what it is entitled to, based on its reputation.

White-washing. This kind of attack is similar to a Sybil attack, but it differs in that the attacker quickly changes its identity to avoid the consequences of its own actions. White-washing attacks violate the same fairness requirement as Sybil attacks. In addition, they also violate the accountability requirements in the trust model, which state that each member should commit to the consequences of its own actions, including contributing opinions to the trust evaluation. This commitment is required so that community members can build stable trust relationships within the community. If an entity changes its identity quickly, its actions are not accountable, and the consequences of its actions cannot be bound effectively to the perpetrator.

Countermeasures for Identity Attacks

Potential countermeasures to identity attacks belong to two general categories: prevention or detection.

In centralized trust management systems, it is relatively easy to deploy a prevention mechanism to stop attackers from creating multiple identities illegally, because all the identity credentials are generated by the centralized authority. In the decentralized case, however, detection is a more effective countermeasure. One of our research hypotheses has been that the consensus-building nature of our trust model makes it suitable to detect Sybil and white-washing attacks. The goal is to minimize the risk that a member can illegitimately deny an identity previously acquired from the community.

In our trust model, trust requires consistent attribute usage, so a communal consensus about each member's attributes becomes feasible, and access to the community's resources can be regulated by the relationships maintained through time. The trust on an identity is established by building a device profile of attribute usage and verifying that the device profile is consistently mapped to the acquired device name. In other words, the community members build the initial binding of the device profile and device name, propagate this knowledge, and eventually build the communal consensus on the bindings. If the attacking device uses a different identity by modifying any of the bound attributes, this will be detected by other community members, who can then deny the attacker resources afforded through existing relationships within the community.

In order to detect the mis-bindings, the device profile contains a set of measurable device attributes. It is not required that a single attribute be able to uniquely identify the device. Together, the combined probability of forming a unique device identifier should be reasonably high. In particular, it is preferable that the attributes are tied to device hardware or the surrounding physical environment. In effect, the cost of creating a new identity for the device is close to the cost of changing all the hardware attributes in the device profile. Consequently, buying a new device becomes probably the only viable option for the attackers to create a new identity. Next, we suggest three types of attributes that can help with device profiling.
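The binding and consensus process described in the two paragraphs above, as an added example that is not code from the article or from the Intel project. The attribute names, device names, observer names and the quorum and similarity thresholds are all constructed placeholders; a real deployment would feed in measured radio, hardware and network attributes. Members report the (name, profile) binding they observed; a binding becomes the communal consensus once a quorum of distinct observers agrees on it, and later reports are then checked for a known name carried by a different device (masquerade) or a known device appearing under a fresh name (white-washing or Sybil).

```python
"""Communal consensus on device-profile <-> device-name bindings.

Added example (not from the article). Each community member reports the
binding it observed; once a quorum of independent observers agrees, the
binding becomes the consensus and later reports are checked against it.
"""
from collections import defaultdict

QUORUM = 2             # distinct observers needed before a binding is trusted (assumed value)
MATCH_THRESHOLD = 0.6  # fraction of profile attributes that must agree to call it "same device"

# Constructed sample reports: (observer, device_name, attribute profile).
# Attribute values are illustrative placeholders, not real identifiers.
OBSERVATIONS = [
    ("alice", "printer-1", {"mac": "00:11:22:aa:bb:01", "tpm_ek_hash": "ek01", "radio_fp": "fp-A"}),
    ("bob",   "printer-1", {"mac": "00:11:22:aa:bb:01", "tpm_ek_hash": "ek01", "radio_fp": "fp-A"}),
    ("carol", "printer-1", {"mac": "00:11:22:aa:bb:01", "tpm_ek_hash": "ek01", "radio_fp": "fp-A"}),
    # masquerade attempt: the name "printer-1" used by a device with a different profile
    ("dave",  "printer-1", {"mac": "00:11:22:aa:bb:99", "tpm_ek_hash": "ek99", "radio_fp": "fp-Z"}),
    # white-washing / Sybil: a new name bound to a profile the community already knows
    ("alice", "printer-7", {"mac": "00:11:22:aa:bb:01", "tpm_ek_hash": "ek01", "radio_fp": "fp-A"}),
]


def profile_key(profile):
    """Hashable, order-independent form of an attribute dict."""
    return tuple(sorted(profile.items()))


def profile_similarity(a, b):
    """Fraction of attributes measured in both profiles that carry the same value.
    No single attribute has to be unique; the combination identifies the device."""
    shared = set(a) & set(b)
    if not shared:
        return 0.0
    return sum(1 for k in shared if a[k] == b[k]) / len(shared)


def build_consensus(observations, quorum=QUORUM):
    """Return {device_name: consensus_profile} using only bindings reported by at
    least `quorum` distinct observers (one vote per member). The most widely
    supported binding wins when a name has several candidate profiles."""
    votes = defaultdict(set)   # (name, profile_key) -> observers who reported it
    profiles = {}              # profile_key -> profile dict
    for observer, name, profile in observations:
        key = profile_key(profile)
        votes[(name, key)].add(observer)
        profiles[key] = dict(profile)
    best = {}                  # name -> (profile, support)
    for (name, key), observers in votes.items():
        if len(observers) >= quorum and (name not in best or len(observers) > best[name][1]):
            best[name] = (profiles[key], len(observers))
    return {name: prof for name, (prof, _) in best.items()}


def check_binding(consensus, name, profile, threshold=MATCH_THRESHOLD):
    """Classify a newly reported (name, profile) pair against the consensus."""
    if name in consensus:
        if profile_similarity(consensus[name], profile) >= threshold:
            return "consistent"
        return "masquerade"  # known name, but the measured device is not the one bound to it
    for other, known in consensus.items():
        if profile_similarity(known, profile) >= threshold:
            return f"reidentified:{other}"  # same device under a fresh name
    return "unknown"


if __name__ == "__main__":
    consensus = build_consensus(OBSERVATIONS)
    for observer, name, profile in OBSERVATIONS:
        print(observer, name, check_binding(consensus, name, profile))
```

The similarity threshold is what lets the check tolerate one changed attribute (a swapped radio, say) while still catching an entity that has changed everything; raising the quorum makes the consensus slower to form but harder for a small colluding group to seed with a false binding.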

Attributes for Identifying Other Devices

We examine three types of attributes for machine identification: radio attributes, hardware platform attributes, and behavioral attributes, such as network activity:

Radio attributes. Wi-Fi, Bluetooth, and other radio-based communications devices are now ubiquitous in mobile devices. Radios may have a number of attributes that can be measured and shared:

Received signal strength indication (RSSI). RSSI is a transient attribute that could be used to detect some types of Sybil attacks. Cheriton and Faria report [13] that the signal strength measurements of a target by different receivers consistently correlate; [14] and [15] suggest a similar technique. This means it should be feasible to detect whether a device is changing low-level identifiers such as a MAC address. A community member utilizing shared RSSI values measured from the target devices can decide whether the frames sent, using different identities, render the same RSSI profile and therefore match the same physical device. We plan to design a distributed solution that utilizes a subset of real-time RSSI data.
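The RSSI correlation idea above, as an added example that is not code from the article or from [13]; it is a simplified matching rule, not the published signalprint algorithm. Each community member reports (receiver, source MAC, RSSI) for frames it overheard; the per-MAC vector of median RSSI values across receivers is treated as that MAC's profile, and two MACs whose profiles agree at every receiver that heard both are flagged as one physical radio. The receiver names, MAC addresses, RSSI values, tolerance and minimum-receiver count are all constructed.

```python
"""Correlating RSSI across several receivers to spot one radio using several MACs.

Added example, not from the article or from [13]. The pooled reports give each
source MAC a "signalprint": its median RSSI as seen by each receiver. MACs
whose signalprints agree at enough receivers are grouped as Sybil candidates.
"""
from collections import defaultdict
from itertools import combinations
from statistics import median

TOLERANCE_DB = 5   # per-receiver RSSI difference still treated as the same radio (assumed)
MIN_RECEIVERS = 3  # receivers that must have heard both MACs before a verdict (assumed)

# Constructed observations: (receiver, source_mac, rssi_dbm). MACs are placeholders.
OBSERVATIONS = [
    # ...:01 and ...:02 are sent by the same physical device in this sample
    ("node-A", "02:00:00:00:00:01", -40), ("node-B", "02:00:00:00:00:01", -71), ("node-C", "02:00:00:00:00:01", -55),
    ("node-A", "02:00:00:00:00:01", -42), ("node-B", "02:00:00:00:00:01", -69), ("node-C", "02:00:00:00:00:01", -57),
    ("node-A", "02:00:00:00:00:02", -41), ("node-B", "02:00:00:00:00:02", -70), ("node-C", "02:00:00:00:00:02", -54),
    ("node-A", "02:00:00:00:00:02", -39), ("node-B", "02:00:00:00:00:02", -72), ("node-C", "02:00:00:00:00:02", -56),
    # ...:03 is a different device at another location
    ("node-A", "02:00:00:00:00:03", -66), ("node-B", "02:00:00:00:00:03", -44), ("node-C", "02:00:00:00:00:03", -51),
    ("node-A", "02:00:00:00:00:03", -64), ("node-B", "02:00:00:00:00:03", -46), ("node-C", "02:00:00:00:00:03", -49),
]


def signalprints(observations):
    """{mac: {receiver: median_rssi}} built from the pooled reports."""
    samples = defaultdict(lambda: defaultdict(list))
    for receiver, mac, rssi in observations:
        samples[mac][receiver].append(rssi)
    return {mac: {rx: median(v) for rx, v in per_rx.items()} for mac, per_rx in samples.items()}


def prints_match(p, q, tolerance=TOLERANCE_DB, min_receivers=MIN_RECEIVERS):
    """True when enough receivers heard both MACs and each saw them at a similar level."""
    common = set(p) & set(q)
    if len(common) < min_receivers:
        return False
    return all(abs(p[rx] - q[rx]) <= tolerance for rx in common)


def suspected_sybil_groups(observations):
    """Union MACs with matching signalprints; every group of more than one MAC is a candidate."""
    prints = signalprints(observations)
    parent = {mac: mac for mac in prints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(prints, 2):
        if prints_match(prints[a], prints[b]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for mac in prints:
        groups[find(mac)].add(mac)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in suspected_sybil_groups(OBSERVATIONS):
        print("same radio, several MACs:", ", ".join(group))
```

Requiring agreement at several receivers is what makes the check useful: a single receiver cannot distinguish two devices at the same distance, but two devices rarely sit at the same distance from three independently placed receivers. Because RSSI is transient, a match is evidence to feed into the community's profile consensus rather than a verdict on its own.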

A second line of investigation shows that every radio has unique fingerprints. A fingerprint is a measurable characteristic, such as the rise time of the first symbol beginning a radio transmission. In [16], Xiao et al. propose using radio fingerprints as a way to recognize devices. If radio fingerprinting proves to be practical, it could be used to detect identity attacks. In particular, a radio fingerprint could be bound to an identity certificate and the radio fingerprint database that was searched, prior to issuing a credential to a new party joining a community.

Hardware measurements. A typical personal computer contains a list of hardware identifiers or serial numbers that identify each piece of hardware inside the computer. There are two challenges inherent in using such information. First, these identifiers should be externally measurable; that is, there should be ways that allow the measuring entity to retrieve such information from the target entity over the network. The second challenge is the non-repudiation of measured data. Trusted hardware in a device, such as the trusted platform module (TPM), may be used to store and communicate the measurement data in order to avoid malicious change of information when it flows through potentially malicious OSs.

One particular TPM-related mechanism is to have the hardware record the community ID for every community joined, and to maintain this as a list in sealed storage. An issuer can then query the TPM of the enrollee about whether it is already a member of the community into which the enrollee wants to enter, and the TPM will provide a zero-knowledge proof that the new community is not already on its list. The zero-knowledge proof will fail if the enrollee has already joined the community, thus making Sybil and white-washing attacks more difficult.

Network activity correlation. This kind of attribute is transient; yet, it is useful for building correlations between entities in the network. For instance, tables used by the address resolution protocol (ARP) on hosts reveal recent IP and MAC address bindings in the network. Information from multiple nodes may be useful to build consensus on the correct usage of MAC addresses by members. Another way to get information would be to use routing tables. Routing table entries from multiple nodes in the network help to build topological relationships between devices in the network, which can sometimes be used, together with other localization techniques, to help distinguish unique devices.
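The ARP-table correlation described above, as an added example that is not code from the article. Several nodes share their neighbor tables (constructed here in the format of Linux `ip neigh show` output, with placeholder addresses and node names); pooling the IP-to-MAC bindings lets the community settle on a majority binding for each address and flag the two patterns worth a second look: one IP claimed by several MACs across observers, and one MAC answering for several IPs.

```python
"""Cross-checking neighbor (ARP) tables collected from several community nodes.

Added example, not from the article. Each node contributes its neighbor table;
bindings are pooled with one vote per node, a majority binding is derived per
IP, and contradictory entries are reported for the community to examine.
"""
import re
from collections import defaultdict

# Linux `ip neigh show` line shape; entries without an lladdr (e.g. FAILED) are skipped.
NEIGH_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (?P<state>\S+)$"
)

# Constructed sample tables; every address and node name is a placeholder.
TABLES = {
    "node-A": """\
192.168.1.10 dev wlan0 lladdr 02:00:00:00:00:10 REACHABLE
192.168.1.11 dev wlan0 lladdr 02:00:00:00:00:11 STALE
192.168.1.12 dev wlan0 lladdr 02:00:00:00:00:12 REACHABLE
""",
    "node-B": """\
192.168.1.10 dev wlan0 lladdr 02:00:00:00:00:10 REACHABLE
192.168.1.11 dev wlan0 lladdr 02:00:00:00:00:11 REACHABLE
192.168.1.13 dev wlan0 lladdr 02:00:00:00:00:12 DELAY
""",
    "node-C": """\
192.168.1.10 dev wlan0 lladdr 02:00:00:00:00:10 REACHABLE
192.168.1.11 dev wlan0 lladdr 02:00:00:00:00:99 REACHABLE
192.168.1.12 dev wlan0 lladdr 02:00:00:00:00:12 STALE
192.168.1.14 dev wlan0 FAILED
""",
}


def parse_table(text):
    """Return [(ip, mac)] for every well-formed neighbor line; ignore anything else."""
    bindings = []
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            bindings.append((m.group("ip"), m.group("mac").lower()))
    return bindings


def pool_bindings(tables):
    """{ip: {mac: set(reporting nodes)}} across all contributed tables."""
    pooled = defaultdict(lambda: defaultdict(set))
    for node, text in tables.items():
        for ip, mac in parse_table(text):
            pooled[ip][mac].add(node)
    return pooled


def consensus_bindings(tables):
    """Majority MAC per IP together with the number of nodes supporting it."""
    result = {}
    for ip, macs in pool_bindings(tables).items():
        mac, nodes = max(macs.items(), key=lambda kv: len(kv[1]))
        result[ip] = (mac, len(nodes))
    return result


def find_anomalies(tables):
    """IPs bound to more than one MAC, and MACs bound to more than one IP."""
    pooled = pool_bindings(tables)
    ip_conflicts = {ip: {mac: sorted(nodes) for mac, nodes in macs.items()}
                    for ip, macs in pooled.items() if len(macs) > 1}
    ips_per_mac = defaultdict(set)
    for ip, macs in pooled.items():
        for mac in macs:
            ips_per_mac[mac].add(ip)
    mac_multi_ip = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {"ip_conflicts": ip_conflicts, "mac_multi_ip": mac_multi_ip}


if __name__ == "__main__":
    print(consensus_bindings(TABLES))
    print(find_anomalies(TABLES))
```

A MAC seen with several IPs is weaker evidence than an IP seen with several MACs: an ordinary DHCP lease change produces the former, so these tables are best treated as one more transient attribute that corroborates the device profile rather than as proof of an identity attack by themselves.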

Related Work

Our work is inspired by Gligor's analysis [4]. He advocated that trust establishment is an emergent property in ad hoc networks, and trust relationships may need to be established among nodes after network emergence. Hence, trust establishment has to be based on dynamic evaluation of evidence about a node and not just on a statically defined relationship with a single third party. He also urged the design of evidence-evaluation metrics to assign low certainty to evidence from questionable sources while still achieving an acceptable number of false positives. We take this a step further and use identities to signify relationships and verify entity uniqueness to examine the evidence in question.

Previous work has also proposed several variants of the distributed trust model. Eschenauer et al. introduce the general principles of trust establishment in mobile ad hoc networks [3]. Many researchers assume the transitivity of trust to establish a relationship between two entities without the necessary prior interactions. The trust evaluation is modeled as a path problem in a directed trust graph. Theodorakopoulos and Baras [8] extend the PGP model to use second-hand evidence. However, their trust evaluation assumes independent opinion sources. Reiter and Stubblebine advocate that trust calculation has to be based on multiple non-intersecting paths [6]. They propose algorithms to identify trust paths in the trust graph. Unlike our model, their work still assumes every entity offering opinions is distinct.

Several papers [7, 17, 18, 19, 20, and 21] adopt the idea that trust can be established through direct observations or through third-party recommendations. Sun et al. represent trust as uncertainty, computed by using entropy [7]. Zouridaki et al. use modified Bayesian approaches to build trust and reputation systems by using second-hand information [21]. Jiang and Baras use weighted voting algorithms to deal with conflicting opinions [5, 17]. The model favors local interactions over second-hand opinions. Several works use Dempster-Shafer Theory (DST) for trust evaluation [19, 20] to take into account the uncertainty of evidence that cannot be evaluated by using Bayesian methods. Raya et al. [20] propose evaluating data-centric trust in vehicular ad hoc networks (VANETs). They use simulations to evaluate algorithms by using weighted voting, Bayesian methods, and DST, and they conclude that each method has its own strength in different networks; however, they hold that DST is best suited to the decision logic requirements in a time-critical vehicular network.

In addition to trust evaluation, there are a few works on trust evidence generation and distribution. Eschenauer et al. describe examples of generic evidence generation and distribution in a node-centric authentication process [3]. Hubaux et al. propose a model to build partial local certificate repositories for PGP [22]. Jiang and Baras propose an ant-based routing algorithm to search for trust evidence in ad hoc networks [23].

Conclusions and Future Research Directions

In this article, we present a paradigm of a distributed trust model generalizing beyond the enterprise model to ad hoc, mesh, and self-organizing networks, where every member can serve as an authority to enroll and authenticate devices for the community. Our model elevates the problems of on-line evidence evaluation and bootstrapping trust to first-class concerns and proposes solutions to address these problems. We focus on designing credentials to signify the trust relationships that emerge within a community and suggest a novel identity-laundering concept to establish new relationships from pre-existing trust relationships rooted in different administrative domains. We also extend the existing trust propagation models to incorporate both negative opinions and social relationships.

This work opens a new research area for trust management. A number of open problems remain. We plan to design a self-organizing information distribution system suitable for trust evidence dissemination in various network sizes and topologies. Another area for future work is identifying appropriate trust calculus and trust metrics for evaluating various first-hand trust evidence and computing initial device reputation.

This article and more on similar subjects may be found in the Intel Technology Journal, June 2009 Edition, "Advances in Internet Security". More information can be found at http://intel.com/technology/itj.
